{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2024.3.1"}, "schedule": {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/schedule/", "version": "0.14", "base_url": "https://cfp.all-systems-go.io", "conference": {"acronym": "all-systems-go-2023", "title": "All Systems Go! 2023", "start": "2023-09-13", "end": "2023-09-14", "daysCount": 2, "timeslot_duration": "00:05", "time_zone_name": "Europe/Berlin", "colors": {"primary": "#000000"}, "rooms": [{"name": "Main Hall", "guid": "923492fb-f789-5e5c-92f7-37421d61d90b", "description": null, "capacity": null}, {"name": "Dome", "guid": "afd36b55-3023-5286-b813-244ed91d7713", "description": null, "capacity": null}], "tracks": [], "days": [{"index": 1, "date": "2023-09-13", "day_start": "2023-09-13T04:00:00+02:00", "day_end": "2023-09-14T03:59:00+02:00", "rooms": {"Main Hall": [{"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/X89KG9/", "id": 239, "guid": "3da0ea83-2503-5f6b-aae6-81156c22f5a9", "date": "2023-09-13T09:30:00+02:00", "start": "09:30", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-239-opening-session-of-all-systems-go-2023", "title": "Opening session of All Systems Go! 
2023", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "A welcome session for All Systems Go!", "description": "", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/ZEVAWH/", "id": 185, "guid": "0422739e-4cd8-5e63-8965-dc9d027fe794", "date": "2023-09-13T09:45:00+02:00", "start": "09:45", "logo": null, "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-185-unified-kernel-images-ukis-", "title": "Unified Kernel Images (UKIs)", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "UKIs are a fundamental building block of modern measured and trusted boot chains. Let's have a look at what happened in the area and discuss recently added new concepts, such as \"add-ons\", new PE sections, build tools and more.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "4652e1d6-54e2-54b4-9d86-6cfaa34ae195", "id": 78, "code": "UNJXNH", "public_name": "Lennart Poettering", "avatar": null, "biography": "I work on systemd.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/ZSTFTF/", "id": 230, "guid": "1ea7efbc-402f-5c4e-b237-dcdfdc81a5dd", "date": "2023-09-13T10:30:00+02:00", "start": "10:30", "logo": null, "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-230-gaining-linux-insights-with-inspektor-gadget-an-ebpf-tool-and-systems-inspection-framework", "title": "Gaining Linux insights with Inspektor Gadget, an eBPF tool and systems inspection framework", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "In this presentation, we introduce Inspektor Gadget, a tool designed for the creation, deployment, and execution of eBPF programs (gadgets) across Kubernetes and Linux 
environments. Inspektor Gadget encapsulates eBPF programs into OCI containers, providing well-understood and easily distributable units.\r\n\r\nWe'll delve into Inspektor Gadget's automatic data enrichment process, transforming complex kernel information into high-level, understandable concepts tied to Kubernetes, container runtimes, systemd, etc. This feature bridges the knowledge gap between raw, low-level data and more interpretable information, improving the understanding of system behavior.\r\n\r\nWe will illustrate how to use a simple configuration file to set up a data collection pipeline with Inspektor Gadget, resulting in a Prometheus endpoint or an exposed API.\r\n\r\nThroughout the talk, we'll demonstrate Inspektor Gadget's features, support across various environments, discuss its operational mechanics, and share insights into the future direction of the project.\r\n\r\nBy presenting at ASG!, our aim is not just to inform the audience of Inspektor Gadget, but also to encourage feedback and stimulate discussions within the eBPF and Linux community.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "6b3593d4-0cb4-5e0e-b44c-61f0b3c510b0", "id": 127, "code": "XWAVJL", "public_name": "Chris Kuehl", "avatar": null, "biography": "Chris is a long-time member of the Linux community and currently a Principal Technical PM at Microsoft.\r\nFormerly, he was a founder and CEO at Kinvolk which was acquired by Microsoft in 2021. Prior to all that, He was a member of the GNOME community working on various projects.\r\nChris is a founder of the All Systems Go! 
and Cloud Native Rejekts conferences.", "answers": []}, {"guid": "9da02c52-3fed-543e-8210-182d8174775b", "id": 28, "code": "MQVR9X", "public_name": "Alban Crequy", "avatar": "https://cfp.all-systems-go.io/media/photo-alban.jpg", "biography": null, "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/XLQNDJ/", "id": 195, "guid": "436d7e44-4792-5cc0-a4db-764ae5595467", "date": "2023-09-13T11:15:00+02:00", "start": "11:15", "logo": "https://cfp.all-systems-go.io/media/all-systems-go-2023/submissions/XLQNDJ/systemd-logo_QXIg6eL.png", "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-195-system-and-configuration-extensions-for-image-based-linux-distros-and-beyond", "title": "System and Configuration Extensions for Image-based Linux Distros and Beyond", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Using an image-based OS brings advantages and challenges. One challenge is the customization of a read-only image with additional host-level software and configuration, and how to manage this customization through the lifetime of a machine.\r\n\r\nFor deeper changes in /usr, users might build their own images instead of following the official image updates. For common scenarios, the vendor may choose to offer multiple image flavors. Simpler user customization can live outside of the read-only /usr, scattered as config files and binaries in /etc and /opt. Configuration management tools struggle with reliable (re)configuration because tracking filesystem state is hard.\r\n\r\nThe systemd project now supports a mechanism for extension images. There are two types; system extensions create an overlay for /usr or /opt and configuration extensions create an overlay for /etc. Through the overlay, users can thus change the read-only /usr without building custom OS images. 
Vendors can also offer their supported flavors as extensions instead of different OS images, even as composable stack where the user can choose optional parts. Users can manage their configuration by replacing the extension images atomically. Since the images bundle all files, this prevents old files lingering around or a system in a half-finished state. The read-only extension images help with setting up attestation and integrity enforcement for their contents. For distributions providing prebuilt initrds (e.g., the Fedora mkosi-initrd proposal), extensions allow initrd customization provided by the distribution or user.\r\n\r\nThe presentation will give an overview, share use cases and examples, and discuss future improvements for extension images.", "description": "A recent addition to the systemd toolbox was systemd-sysext for system extensions through overlay images mounted on /usr. Even newer is systemd-confext for configuration extensions through overlay images mounted on /etc.\r\n\r\nThe main use case for systemd-sysext is the customization or deployment of additional software on an image-based OS where /usr is read-only. The use of single images that contain all files allows to reliably manage the changes compared to unpacking files to the root filesystem. Optional dm-verity protection ensures the integrity of the extensions. A simple version matching scheme allows to either couple the extension to the OS version or not. The first case is useful for officially released OS extensions or dynamic linking, the second for static linking and only few assumptions about the host.\r\n\r\nFor systemd-confext the use case is similar as with systemd-sysext but it focuses on configuration in /etc. Here again, the use of single image files makes configuration changes more reliable. Ideally the use of configuration images should allow to have /etc read-only at runtime, following the idea of immutable infra. 
However, not all software and workflows are prepared for that, and the goal is to introduce different modes for the overlay to, e.g., support ephemeral or persistent changes.\r\nOther plans are to set up the overlay mount from the initrd already to have all configuration in place as early as possible, and to improve the live reload behavior through atomic mount operations and system reload actions.\r\n\r\nThe presentation will show how to use systemd-sysext/confext and share some examples from Flatcar Container Linux and an embedded Linux platform for both coupled and decoupled extensions.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "a6e136fb-6800-5c80-8576-8d35b1b092f1", "id": 135, "code": "RKHANR", "public_name": "Kai L\u00fcke", "avatar": "https://cfp.all-systems-go.io/media/avatars/head_crop_new_BvEAtij.jpg", "biography": "I work on Flatcar Container Linux for some years now and also had my hands on the Kubernetes distribution Lokomotive and the eBPF tooling Inspektor Gadget and traceloop. As part of the Kinvolk team I joined Microsoft. In my spare time I'm maintaining GNOME Disks and have many ideas of software yet to be built.", "answers": []}, {"guid": "89fcd83e-9122-5ba6-8d7d-3754eb12f781", "id": 176, "code": "XH9VP9", "public_name": "Maanya Goenka", "avatar": "https://cfp.all-systems-go.io/media/avatars/Intern_Bio_Image_PgKQzeV.jpg", "biography": "I am Maanya Goenka, a software engineer on the Linux Systems Group team at Microsoft. I work on the Azure Boost platform on the development and testing side of things. I graduated from Carleton College in Minnesota, USA, in June 2022 and have been with the team ever since, for almost a year now. 
I have had the opportunity to work on open-source projects and private Microsoft owned repositories during my time here and am excited to be able to present at this conference and provide a glimpse of some of the work I have been doing at the company so far.", "answers": []}, {"guid": "2718a327-eade-5d9d-b9d8-d78fc12024da", "id": 128, "code": "LAXAC7", "public_name": "Luca Boccassi", "avatar": "https://cfp.all-systems-go.io/media/avatars/f729cde356a4bbf825a5ff10778e362f_pbbNEGH.jpg", "biography": "Software engineer at Microsoft by day, open source developer involved in various projects by night (systemd maintainer, DPDK LTS maintainer, ZeroMQ project co-lead, Debian Developer).", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/FYHCNJ/", "id": 220, "guid": "2a04329f-e886-55dc-b6f2-490004642686", "date": "2023-09-13T12:00:00+02:00", "start": "12:00", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-220-retake-of-service-restarts", "title": "Retake of service restarts", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "Stopping the old and starting a new service afresh -- that is what service restart is roughly about. We will look what it comprises in more detail from service manager perspective and also from the service's client end. Thus we will look at how FDSTORE API can be used to smooth service restart. Furthermore, we will review how unit instances may provide further distinction between the stopped and the restarted service. 
Finally, we go through options that the existing service have to adopt these methods.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "60446a72-0ba8-5104-af7b-0feead8e7c91", "id": 160, "code": "V3ZAUU", "public_name": "Michal Koutn\u00fd", "avatar": "https://cfp.all-systems-go.io/media/avatars/630751_NEyj5P8.png", "biography": "I am employed by SUSE. I work on things related to cgroups.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/XVV9QY/", "id": 184, "guid": "d8645c76-aeb9-5828-8ac8-e1d522b40a4f", "date": "2023-09-13T12:30:00+02:00", "start": "12:30", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-184-soft-reboot-atomically-replace-rootfs-and-reboot-userspace-without-kernel-restart", "title": "Soft Reboot: atomically replace rootfs and reboot userspace without kernel restart", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "systemd v254 introduced a new reboot type: soft-reboot. It shortcuts the reboot process by not restarting the kernel, and instead shutting down userspace, followed by re-exec'ing systemd from the new rootfs, starting everything up again. Not only this allows to save time by virtue of doing less work, but it also allow select resources (File Descriptor Store) and select services that do not use the rootfs (Portable Services) to survive the reboot and continue uninterrupted. This talk will explore the details of this new feature, how it works, why it's useful, what are the shortcomings and how to make full use of it.", "description": "In many environments where image-based Linux is used, service interruption intervals are key metrics that need to be minimized as much as possible. 
On a traditional package-based distributions, the rootfs can be updated piecemeal and userspace services can be restarted one by one - assuming a perfect running dependency tracking system and perfect reliability (need to restart D-Bus? Good luck!).\r\nOn an image-based system this is obviously not possible, so a typical approach is relying on 'kexec', which loads a new kernel + initrd + rootfs, saving some time from a full reboot by avoiding giving back control to the firmware. But it turns out, it's not fast enough.\r\n\r\nsystemd v254 introduced a new reboot type: soft-reboot. This follows in the kexec footsteps by shortcutting the reboot process, and brings it ever further: the kernel is not restarted at all, and instead userspace is shut down and then systemd is re-exec'ed from the new rootfs, starting up again. Not only this allows to save time by virtue of doing less work, but it also allow resources (File Descriptor Store) and select services that do not use the rootfs (Portable Services) to survive the reboot and continue uninterrupted.\r\n\r\nThis talk will explore the details of this new feature, how it works, why it's useful, what are the shortcomings and how to make full use of it.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "2718a327-eade-5d9d-b9d8-d78fc12024da", "id": 128, "code": "LAXAC7", "public_name": "Luca Boccassi", "avatar": "https://cfp.all-systems-go.io/media/avatars/f729cde356a4bbf825a5ff10778e362f_pbbNEGH.jpg", "biography": "Software engineer at Microsoft by day, open source developer involved in various projects by night (systemd maintainer, DPDK LTS maintainer, ZeroMQ project co-lead, Debian Developer).", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/HSEJY9/", "id": 186, "guid": "8b487f6f-30f1-579d-93b9-30bd3f50ab47", "date": "2023-09-13T14:30:00+02:00", "start": "14:30", "logo": null, "duration": "00:40", "room": "Main Hall", 
"slug": "all-systems-go-2023-186-linux-tpms", "title": "Linux & TPMs", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Let's get you up to speed on Trusted Platform Modules (TPM 2.0) and Linux. Specifically, the various additions to basic Linux userspace, i.e. systemd in our goal to make measured boot a default on Linux.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "4652e1d6-54e2-54b4-9d86-6cfaa34ae195", "id": 78, "code": "UNJXNH", "public_name": "Lennart Poettering", "avatar": null, "biography": "I work on systemd.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/HGMV9U/", "id": 204, "guid": "4c72dcd2-4b50-59c7-b6a9-0c2bf42bb97d", "date": "2023-09-13T15:15:00+02:00", "start": "15:15", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-204-an-unified-tpm-event-log-for-linux", "title": "An Unified TPM Event Log for Linux", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "The TPM event log contains a history of all measurements made with the TPM.\r\nComplete with some context information for each measurement it is intended to\r\nhelp with recreating the current PCR contents. What was meant as a debugging\r\ntool turns out to be of vital importance when trying to remotely attest real\r\nlife systems. This is mostly because of the overuse of certain PCR and the\r\ngeneral mess that is x86\r\nfirmware. \r\n\r\nSadly, there are many event logs. UEFI keeps one for its measurements and those\r\ndone by EFI applications like GRUB and shim. If a system is booted in an MLE\r\nusing tboot the ACM firmware code also maintains an event log that can be\r\naccessed via a pointer in an ACPI table. Now, systemd also has an event log\r\nthat is mixed into the general journal log. 
Finally Linux IMA maintains it's\r\nown event log -- an append-only, in-kernel data structure.\r\n\r\nOn top of that every bootloader or userspace application that wants to measure\r\nsomething into the TPM will also need to maintain an event log. \r\n\r\nHow about we fix that? The talk will sketch out a solution that maintains a\r\nunified, global event log of the whole system on disk and exposes an interface for\r\nother applications that wish to measure things into the TPM. We'll also fix a\r\nrace conditions in IMA as well as correctly handle S3 resume w.r.t measured boot\r\nwhile we're at it.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "120ecf8f-6e4f-5e3a-91e1-5b1fe7cfc12c", "id": 150, "code": "H3QMEF", "public_name": "Kai Michaelis", "avatar": "https://cfp.all-systems-go.io/media/avatars/headshot-200px_I5TH5au.jpg", "biography": "Kai is co-founder of Niche Systems and board member of the Open Source Firmware Foundation. He earned a Master's degree in computer security in 2018 from Ruhr University Bochum and has previously worked on remote attestation, firmware and GnuPG.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/8CGF9L/", "id": 198, "guid": "1fb562d0-6fe4-5015-9423-128b5711401f", "date": "2023-09-13T16:30:00+02:00", "start": "16:30", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-198-wip-sandboxing-apt", "title": "WIP: Sandboxing APT", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "A short case study on where we are with sandboxing APT; what gaps there are and what technologies we looked at.", "description": "Downloading packages, verifying packages, installing packages, protecting user data from snoopy or broken maintainer scripts. 
A package manager has a lot of places that can need some sort of sandboxing.\r\n\r\nAPT currently employs a minimal sandbox using a separate user for downloading, and optionally seccomp. This talk will explore that, the caveats and some more avenues like landlock, running apt in systemd isolation (useful for our apt-based .service units), file descriptor passing into sandbox.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "b01a0326-b551-5bd0-bc78-452e8ff93cd8", "id": 144, "code": "WYKK3T", "public_name": "Julian Andres Klode", "avatar": null, "biography": "Julian started working on Debian and Ubuntu in his free time in 2007 in the area of package management, contributing to apt itself since 2009, primarily since 2015, and joined Canonical in 2018 where he continued working on apt as well as other system software, testing automation, and boot loaders.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/3Z7XEE/", "id": 183, "guid": "1d8a5caa-369e-5950-a072-9d9e1bb4a807", "date": "2023-09-13T17:00:00+02:00", "start": "17:00", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-183-y2038-replace-utmp-with-logind", "title": "Y2038: replace utmp with logind", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "The utmp implementation of glibc uses on quite some 64bit architectures a 32bit time variable, which leads to an overflow on 03:14:07 UTC on 19 January 2038. This talk will explain the current work on replacing utmp with logind.", "description": "The year 2038 problem (also known as Y2038) is a time formatting bug on Unix systems with representing times after 03:14:07 UTC on 19 January 2038. This happens with a 32bit time_t, not with a 64bit time_t. The general statement so far has always been that on 64bit systems with a 64bit time_t you are safe with respect to the Y2038 problem. 
But this isn't correct: on bi-arch systems like x86-64 (so which can execute 64bit and 32bit binaries) glibc defines __WORDSIZE_TIME64_COMPAT32, which leads to the fact, that struct utmp (used for utmp, wtmp and btmp) and struct lastlog uses int32_t instead of time_t. So we have a Y2038 problem, which is not easy fixable, as this would require ABI and on disk format changes. In this talk I will speak about the background, which tools are affected and a radical solution: drop utmp, wtmp, btmp and lastlog completely and make use of systemd-logind and other tools instead.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "adc8245a-9903-5969-a96e-7fd63000f67e", "id": 82, "code": "PU9L3K", "public_name": "Thorsten Kukuk", "avatar": "https://cfp.all-systems-go.io/media/Kukuk-Portrait-640x480.jpg", "biography": "I'm a Destinguished Engineer at SUSE and with the company now for more than 24 years. Additional I'm the Senior Architect for MicroOS and leading the Future Technology Team. Previously, I was the primary Project Manager for the SLES for many years. 
I have a long history in open source projects.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/R3SWBQ/", "id": 199, "guid": "87dfe1c5-dca2-5733-9836-fe2e3c9d625c", "date": "2023-09-13T17:30:00+02:00", "start": "17:30", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-199-64-bit-timet-on-armhf-running-abi-compliance-checker-on-all-of-ubuntu", "title": "64-bit time_t on armhf: Running abi-compliance-checker on all of Ubuntu", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "Some quick numbers and maybe curiousities from our work on evaluating which libraries need to be rebuilt for 64-bit time_t on armhf in Ubuntu using abi-compliance-checker.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "b01a0326-b551-5bd0-bc78-452e8ff93cd8", "id": 144, "code": "WYKK3T", "public_name": "Julian Andres Klode", "avatar": null, "biography": "Julian started working on Debian and Ubuntu in his free time in 2007 in the area of package management, contributing to apt itself since 2009, primarily since 2015, and joined Canonical in 2018 where he continued working on apt as well as other system software, testing automation, and boot loaders.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/9MVYFU/", "id": 209, "guid": "deb3e7cc-824d-5af6-85a0-c96897749d90", "date": "2023-09-13T17:35:00+02:00", "start": "17:35", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-209-casync-is-not-dead-or-how-i-learned-to-love-desync", "title": "Casync is not dead, or how I learned to love desync", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "Image based OS updates are the future. 
One way to handle updates is via\r\ncontent-addressable synchronisation software, like casync and desync.\r\n\r\nThis talk with give a presentation about the two - their overall design,\r\nfeature set and strengths and weaknesses. It will also demonstrate a real\r\nworld use-case of them.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "8fc1c5bd-2c27-541d-8a20-0fc1cfde02df", "id": 154, "code": "D33KVM", "public_name": "Emil Velikov", "avatar": null, "biography": "Open source developer, geeking across the stack\r\n\r\nFormer #mesa3d release manager, Linux, Mesa, Xorg, Wayland, libva ... contributor.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/T3LJAM/", "id": 178, "guid": "951809c2-3c8f-547a-bc5d-9b0ecea47e00", "date": "2023-09-13T17:40:00+02:00", "start": "17:40", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-178-pid-fd-ize-all-the-things-", "title": "PID FD-ize all the things!", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "A quick overview of the work in progress to plumb PID FDs through Linux userspace, to achieve resilience and security improvements", "description": "Process ID File Descriptors were introduced in Linux v5.3. They allow tracking a process reliably, without risking races and reuse attacks, as they always refer to one single process regardless of the actual PID, so if the process goes away the file descriptor will become invalid, even if a new process with the same PID reappears at the same time.\r\n\r\nTracking processes in userspace is needed for various purposes, for example to authenticate actions via Polkit. This has been historically fragile, and various workarounds such as tracking a PID plus a UID plus a start time were put in place. 
D-Bus implementations also have methods to query a D-Bus' endpoint's PID, UID and GIDs.\r\n\r\nRecently work has been done to plumb PID FDs through all these components - systemd is able to receive queries asking for the session information or unit information via a PID FD, D-Bus implementations return the PID FD of a D-Bus endpoint via GetConnectionCredentials()/GetConnectionUnixProcessFD() (and they track processes via FD rather than PID), and Polkit allows writing rules authorizing by the systemd service name, which is possible to do safely thanks to using FDs all the way through.\r\n\r\nThis lightning talk will quickly go through these improvements, showing how PID FDs can be used to improve userspace and provide concrete benefits.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "2718a327-eade-5d9d-b9d8-d78fc12024da", "id": 128, "code": "LAXAC7", "public_name": "Luca Boccassi", "avatar": "https://cfp.all-systems-go.io/media/avatars/f729cde356a4bbf825a5ff10778e362f_pbbNEGH.jpg", "biography": "Software engineer at Microsoft by day, open source developer involved in various projects by night (systemd maintainer, DPDK LTS maintainer, ZeroMQ project co-lead, Debian Developer).", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/PVJQTH/", "id": 194, "guid": "f6836b6c-af3e-5696-a7b8-e7562129c180", "date": "2023-09-13T17:45:00+02:00", "start": "17:45", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-194-principle-of-least-configuration", "title": "Principle of least configuration", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "The journey of developing a Linux platform to require very little in the way of configuration management, and how to virtually eliminate the need to modify code to change configuration. 
From configuration via scripts and evolving through a couple of configuration management products, we have used the idea of matching actions to timescales to transform how we do configuration management. We now do very little of it, and we have dramatically reduced its complexity.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "202f45e7-dd9e-5730-8266-7de84d729a0b", "id": 141, "code": "KYFTZR", "public_name": "James Morris", "avatar": "https://cfp.all-systems-go.io/media/avatars/jamesm-facebook_xYuknAf.jpg", "biography": "Worked in Tech Infrastructure in financial services since 2001. Currently working in Platform and Virtualization Engineering at Two Sigma in NYC. Responsibilities include configuration management, host automation, code shepherding, container and os image generation and baremetal installation and upgrades", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/VAY88J/", "id": 246, "guid": "cbb0a279-92a8-5cd0-8a38-70598b454214", "date": "2023-09-13T17:50:00+02:00", "start": "17:50", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-246-attaching-cpus-via-usb", "title": "Attaching CPUs via USB", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "All Systems Go! 
lightning talk", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "a3b3a4b0-b306-55d3-ba20-4e03286f0d77", "id": 193, "code": "7HJGEZ", "public_name": "Jiji Freya Daniel Maslowski", "avatar": "https://cfp.all-systems-go.io/media/avatars/7HJGEZ_NfOmOu5.jpg", "biography": ".", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/AKNDS3/", "id": 245, "guid": "ce80491f-f570-5fc3-af6d-0a7004cc5797", "date": "2023-09-13T17:55:00+02:00", "start": "17:55", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-245-tvix-store", "title": "tvix-store", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "All Systems Go! lightning talk", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "62d70a9f-9080-5003-9ab8-cc9a65bd0da9", "id": 87, "code": "TFFJ7J", "public_name": "flokli", "avatar": null, "biography": ".", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/8P7XKH/", "id": 247, "guid": "96f873c3-8d89-5023-b199-428ff9c27f26", "date": "2023-09-13T18:00:00+02:00", "start": "18:00", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-247-carbon-os-homed", "title": "Carbon OS + homed", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "All Systems Go! 
lightning talk", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "7be0cd5a-f521-5d29-8aa5-6a45a892d7e1", "id": 194, "code": "9SEAQ8", "public_name": "Adrian Vovk", "avatar": "https://cfp.all-systems-go.io/media/avatars/profilepic_w5Qy8ZI.jpg", "biography": null, "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/WATVQQ/", "id": 243, "guid": "0b2a5b65-8762-560d-9dff-3c35b8dc758f", "date": "2023-09-13T19:00:00+02:00", "start": "19:00", "logo": null, "duration": "04:00", "room": "Main Hall", "slug": "all-systems-go-2023-243-evening-social-event-mein-haus-am-see", "title": "Evening Social Event @ Mein Haus am See", "subtitle": "", "track": null, "type": "Social event", "language": "en", "abstract": "The social event will take place, once again, at [Haus am See](https://goo.gl/maps/PShjH32z7BJJJB2L9) from 19:00-23:00. Food will be served and drinks tokens will be handed out at the door.\r\n\r\n**19:00-21:00** - Food and drinks on the ground floor with access to the club are on the lower level\r\n**21:00-23:00** - We move to the club area on the lower floor which we have exclusively for more drinks and mingling. The ground floor will be open for non-All Systems Go! folks.\r\n\r\nYou can stay after after 23:00 but after that point there is no official All Systems Go! function and you're own your own. 
;)", "description": "", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "attachments": [], "answers": []}], "Dome": [{"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/ZJDHRA/", "id": 221, "guid": "6052bed1-946c-5a62-ac89-10ce04c66347", "date": "2023-09-13T10:30:00+02:00", "start": "10:30", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-221-encrypted-btrfs-subvolumes-keeping-container-storage-safe", "title": "Encrypted Btrfs Subvolumes: Keeping Container Storage Safe", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "At Meta, we've been working to add encryption support to btrfs, with exciting implications for per-container security. Traditionally encryption has either dealt with whole disks, with LUKS, or with a few filesystems: ext4, f2fs, ubifs, and ceph, lacking in advanced volume management. Btrfs has several features these filesystems don't: deduplicating/reflinking identical data, subvolume/snapshot management, and integrated checksumming. These features allow giving containers their own encrypted subvolume with a key only loaded when the container is running, preventing container storage from being read while turned off, and making deletion of expired containers' storage secure.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "20cd54bd-0f6e-5662-91ee-41c59b967a2c", "id": 164, "code": "3QBAJY", "public_name": "Sweet Tea Dorminy", "avatar": "https://cfp.all-systems-go.io/media/avatars/profile_T8iSa2w.jpg", "biography": "I (Sweet Tea) have worked on kernel storage since graduating from MIT in 2013. I've been a fan of open source, particularly storage technology, since I started using Gentoo in '05, and was fortunate to get a job out of college working on Linux kernel storage. 
I began at a startup called Permabit working on a then-proprietary software-defined storage device providing dedupe and compression, which was acquired by Red Hat in 2017. dm-vdo has now been open sourced and is working on going upstream soon. In 2022, I joined the btrfs team at Meta, and have been working on adding filesystem encryption to btrfs since.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/FZNLRT/", "id": 177, "guid": "98476160-5697-521e-9cc0-d1ce6128ffcf", "date": "2023-09-13T11:15:00+02:00", "start": "11:15", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-177-forensic-container-checkpointing-and-analysis", "title": "Forensic container checkpointing and analysis", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "With the introduction of \"Forensic Container Checkpointing\" in Kubernetes 1.25 it is possible to checkpoint containers. The ability to checkpoint containers opens up many new use cases. Containers can be migrated without loosing the state of the container, fast startup from existing checkpoints, using spot instances more effective. The primary use case, based on the title of the Kubernetes enhancement proposal, is the forensic analysis of the checkpointed containers.\r\n\r\nIn this session I want to introduce the different possible use cases of \"Forensic Container Checkpointing\" with a focus on how to perform forensic analysis on the checkpointed containers. 
The presented use cases and especially the forensic analysis will be done as a live demo giving the audience a hands on experience.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "3451ea7b-2290-5a28-8b41-8bf5843c5ff4", "id": 83, "code": "EQARQM", "public_name": "Adrian Reber", "avatar": "https://cfp.all-systems-go.io/media/2018-adrian.jpg", "biography": "Adrian is a Senior Principal Software Engineer at Red Hat and is migrating processes at least since 2010. He started to migrate processes in a high performance computing environment and at some point he migrated so many processes that he got a PhD for that. Most of the time he is now migrating containers but occasionally he still migrates single processes.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/GUVYJ7/", "id": 228, "guid": "34203612-1025-5359-85f9-d42f13739426", "date": "2023-09-13T12:00:00+02:00", "start": "12:00", "logo": "https://cfp.all-systems-go.io/media/all-systems-go-2023/submissions/GUVYJ7/Straus-196_hAmMwdH.png", "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-228-why-would-you-still-want-to-use-strace-in-2023-", "title": "Why would you still want to use strace in 2023?", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "strace is a traditional userspace tracer utility for Linux, implemented using ptrace API. Despite of the abundance of various kernel tracing interfaces nowadays, there are certain classes of tasks that are still better served by strace. 
In this talk the maintainer of strace will provide examples of such tasks.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "0c77d5ea-f22e-55b4-bf6e-04b5e020a93a", "id": 167, "code": "SWS8EA", "public_name": "Dmitry Levin", "avatar": "https://cfp.all-systems-go.io/media/avatars/5da4fd48c49befce9575f7b3073bd9c1_dYwfbN2.jpg", "biography": "Dmitry is a long time contributor to free software projects, including strace, Linux kernel, the GNU libc, Linux-PAM, systemd, and many others.\r\nBeing the maintainer of strace since 2009, Dmitry gives talks about this tool for various audiences.", "answers": []}, {"guid": "d14b2f10-0086-5f54-bf8b-8c4393ad373c", "id": 169, "code": "FPVJVT", "public_name": "Eugene Syromiatnikov", "avatar": "https://cfp.all-systems-go.io/media/avatars/avatar_v4rJurq.jpg", "biography": "A strace developer. Used to work in an HPC-related field. Currently employed at Red Hat as a software engineer in the kernel maintainers team, responsible for producing Driver Updates, and maintenance of various RHEL packages, including strace and Intel CPU microcode updates.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/BKLNWP/", "id": 196, "guid": "b84d0d61-aaea-559f-99f3-6cc774022ba9", "date": "2023-09-13T12:30:00+02:00", "start": "12:30", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-196-bpfilter-a-bpf-based-packet-filtering-framework", "title": "bpfilter: a BPF-based packet filtering framework", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "Let's discuss about `bpfilter`, a userspace daemon that empowers services to create efficient packet-filtering BPF programs using a high-level representation of filtering rules.", "description": "For a significant period, `bpfilter` wasn't more than an empty [usermode 
helper](https://cateee.net/lkddb/web-lkddb/STATIC_USERMODEHELPER.html) and an [abandoned patch series](https://lore.kernel.org/bpf/20210829183608.2297877-1-me@ubique.spb.ru). However, it has recently undergone active development as a userspace daemon, which can be found on GitHub at [https://github.com/facebook/bpfilter](https://github.com/facebook/bpfilter). This daemon now offers userspace services a swift and user-friendly interface to generate packet-filtering BPF programs dynamically. This discussion aims to provide further insights into `bpfilter`, including its current capabilities, performance, and ongoing development efforts.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "927015aa-0955-5677-abc8-5cabf7b7d2a7", "id": 142, "code": "FCZUPX", "public_name": "Quentin Deslandes", "avatar": "https://cfp.all-systems-go.io/media/avatars/IMG_0789_SThlbuG.jpeg", "biography": "I work at Meta as part of the Linux Userspace team, aiming to contribute to open-source projects.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/NYLYDK/", "id": 244, "guid": "f0a6d9c9-499d-55e9-a071-d714c0a652d9", "date": "2023-09-13T14:30:00+02:00", "start": "14:30", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-244-new-mount-api", "title": "New Mount API", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "This talk will discuss new features provided by the new kernel mount API interface", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "4578daa3-5966-5464-a326-a09122961c14", "id": 190, "code": "TFMRHB", "public_name": "Christian Brauner", "avatar": null, "biography": null, "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/JVGVHG/", "id": 236, "guid": 
"fc8d72ed-2ace-584a-913e-f5c1aba730e6", "date": "2023-09-13T15:15:00+02:00", "start": "15:15", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-236-disaggregated-networks-is-network-hardware-special-", "title": "Disaggregated networks: Is network hardware special?", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Despite being ordinary computers with an ASIC for switching, in reality network hardware must still be treated differently from normal servers. In recent years a lot has improved, and vendors offer white box switches, allowing users to install a (network) operating system of their choice. Of course, the NOS needs to support the firmware interface for the particular ASIC, and this is not standardized: swtitchdev, DSA, SAI \u2013 none of them supporting all devices. Due to SONiC dominance, a lot of vendors seem to support SAI (Switch Abstraction Interface). But SAI requires a proprietary external Linux kernel module. On the NOS side, Open Network Linux was abandoned, and Azure\u2019s SONiC is the new popular kid on the block, running a Docker daemon. There are other differences in the network hardware ecosystem: For example ONIE as the bootloader environment. Also working with upstream and using established software developing practices are lacking, resulting in a maintenance burden. Projects like DENT or OpenWrt go one step further by only supporting upstream Linux kernel interfaces, but now dentOS is also going to support SAI.\r\n\r\nThis talk gives a short introduction into the network operating systems, and then focuses on DENT with the ONL fork dentOS, and shares experiences. 
Curiously, problems how to treat firmware blobs and discussions about what distribution to use as a base, are not unknown to these projects either.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "3617bc37-909b-5250-9332-926bd79fb5ab", "id": 172, "code": "H7ENNU", "public_name": "Paul Menzel", "avatar": null, "biography": "A economic-mathematician by education, administrating and working on FLOSS made the most fun. Working for three years on deploying Ruby-on-Rails applications, I joined the Max Planck Institute for Molecular Genetics, which is one of the institutes still trying to understand the whole IT infrastructure, and therefore relies on FLOSS \u2013 especially everything GNU/Linux related.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/HZY3K8/", "id": 237, "guid": "b635ab86-0c62-5ad3-a2dc-c09ac21b12d8", "date": "2023-09-13T16:30:00+02:00", "start": "16:30", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-237-booting-fast-why-does-power-on-to-login-still-last-longer-than-one-second-", "title": "Booting fast: Why does power-on to login still last longer than one second?", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "In light of the climate crises, and despite hardware getting faster and faster, fully powering down systems and back on on demand \u2013 the obvious choice \u2013 is still inconvenient, as boot times are still very long. Even ChromeOS still has not lowered its limit from ten seconds since years. 
Show the current status of the hobby project on x86 hardware, and give an overview of recent Linux kernel developments getting rid some of the delays.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "3617bc37-909b-5250-9332-926bd79fb5ab", "id": 172, "code": "H7ENNU", "public_name": "Paul Menzel", "avatar": null, "biography": "A economic-mathematician by education, administrating and working on FLOSS made the most fun. Working for three years on deploying Ruby-on-Rails applications, I joined the Max Planck Institute for Molecular Genetics, which is one of the institutes still trying to understand the whole IT infrastructure, and therefore relies on FLOSS \u2013 especially everything GNU/Linux related.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/99PZDY/", "id": 225, "guid": "19097443-0868-5d9f-a563-8a9cde5e5a07", "date": "2023-09-13T17:00:00+02:00", "start": "17:00", "logo": "https://cfp.all-systems-go.io/media/all-systems-go-2023/submissions/99PZDY/tar_pzOsyxR.jpg", "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-225-making-a-magic-deduplicating-tar-using-the-ficlone-ioctl", "title": "Making a magic deduplicating tar using the FICLONE ioctl", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "A walkthrough of an interesting use case for the `FICLONE` ioctl: cloning file data into a tar archive, and cloning files out of it again. 
\"Free\" archiving and unarchiving at zero-copy speeds!\r\nTopics:\r\n\r\n- Copy-on-write and the `FICLONE` ioctl\r\n- The ancient `tar` format\r\n- A trick for adding arbitrary padding to the `tar` format in order to force file system page alignment\r\n- How to avoid symlink attacks and other TOCTOU issues, using the fairly recently introduced (linux 5.6) `openat2` system call.\r\n- An interesting bug in GNU tar\r\n\r\nAt the end you'll receive a free autographed copy of [deduptar](https://git.sr.ht/~nullenenenen/deduptar/tree/master/item/README.md) to use for party tricks. \ud83e\udd73", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "b2d7eb77-e990-5b0f-80dd-7cee7a1c58d8", "id": 145, "code": "TSYEWZ", "public_name": "Wicher Minnaard", "avatar": "https://cfp.all-systems-go.io/media/avatars/wicher3_1AHbLw9.jpg", "biography": "Computer forensic investigator turned software engineer.\r\nI enjoy looking under the hood of pretty much anything.\r\n\r\nCurrently [working as a backend engineer](https://www.linkedin.com/in/ofcourse) with Django+PostgreSQL, plus Android app development, network engineering, and any odd-size problems that come my way thrown in.", "answers": []}], "links": [], "attachments": [], "answers": []}]}}, {"index": 2, "date": "2023-09-14", "day_start": "2023-09-14T04:00:00+02:00", "day_end": "2023-09-15T03:59:00+02:00", "rooms": {"Main Hall": [{"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/7LVG99/", "id": 217, "guid": "92ddb5a3-da61-5f0b-8cd4-fa2c71d1d4f6", "date": "2023-09-14T09:45:00+02:00", "start": "09:45", "logo": null, "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-217-confidential-compute-state-of-the-art-and-how-to-get-started", "title": "Confidential Compute: State-of-the-art and how to get started", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Confidential compute is a new compute and programming paradigm to 
run an application in enclave, a run-time encrypted and authenticated trusted execution environment. We give an overview of the current technologies provided by AMD, Intel and ARM. We also give an overview of open source tools to leverage compute along a tutorial to enclave any applications with few command lines.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "c557ba17-cdf5-5602-b90c-0f0e9993de9f", "id": 161, "code": "DEAVXK", "public_name": "Sebastian Gajek", "avatar": "https://cfp.all-systems-go.io/media/avatars/IMG_7326_vM5jo4g.jpeg", "biography": "Professor for IT security and CTO at enclaive.cloud. Cryptographer by heart, chasing for a solution how to guard cloud and cloud native applications since 2004. Proud dad, Shiba Inu walker, and husband", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/GFDUHW/", "id": 242, "guid": "0806cc18-d412-574f-bba5-d34a0e8ae61d", "date": "2023-09-14T10:30:00+02:00", "start": "10:30", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-242-trusted-confidential-and-cloud-native-workloads-an-intro-to-the-confidential-containers-project", "title": "Trusted, Confidential and Cloud Native Workloads. An intro to the Confidential Containers project", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "The talk wants to provide a brief introduction into Confidential Containers Project. We'll discuss the rationale behind Confidential Computing and how concepts like Trusted Computing or Remote Attestation can be leveraged by end-users to guard their workloads not only from malicious actors but also their cloud service provider. 
Confidential Containers, an open-source CNCF project, aims to extend the experience of deploying cloud-native software on Kubernetes with the option to move sensitive workloads into confidential enclaves with minimal friction to the user experience. We'll introduce the components and container technologies we are using to achieve that, hint at some conceptual problems we are facing and provide a simple example of how confidential containers work in practice today.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "9a0b45bc-5b84-54cb-b0c0-921bc77619ff", "id": 187, "code": "JJ7BTE", "public_name": "Magnus Kulke", "avatar": "https://cfp.all-systems-go.io/media/avatars/foto_cd_tOk5tsg.jpg", "biography": "Magnus Kulke is a software engineer at Microsoft, working in the Azure Core organization. He has an academic background in Humanities and Computer Science and has been working in the software industry for around 15 years. He is passionate about Open Source, automation, virtualization, and cloud computing. He has been held various engineering and leadership position across different industries, such as mobility, sustainability, and tech. He lives in Berlin with his family.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/E9NVZE/", "id": 189, "guid": "4efe611a-d60a-5f5d-b5fe-73c319e0c563", "date": "2023-09-14T11:00:00+02:00", "start": "11:00", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-189-systemd-boot-integration-in-opensuse", "title": "systemd-boot integration in openSUSE", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "openSUSE is a general purpose, rpm based distribution. One of it's unique features is the use of btrfs snapshots to offer rollback of the root file system of both traditional as well as transactional systems. 
This talk explains the challenges faced to integrate systemd-boot into openSUSE.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "983d1873-a1a1-53b6-8e49-7309bf5aefc2", "id": 138, "code": "XQAARK", "public_name": "Ludwig Nussel", "avatar": null, "biography": "Ludwig is a senior operating system engineer working for SUSE.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/T3QFGS/", "id": 231, "guid": "9534a381-f859-5abf-94e0-673d1e399f5e", "date": "2023-09-14T11:30:00+02:00", "start": "11:30", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-231-kernel-command-line-and-uki-systemd-stub-and-the-stubby-alternative", "title": "Kernel command line and UKI; systemd-stub and the \u2018stubby\u2019 alternative", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "Modification of the kernel command line has historically been one of the easiest ways to customize system behavior.  Bootloaders allow for persistent changes via config-files and on-the-fly changes interactively during system boot.\r\n\r\nSystem behavior changes made via the kernel command line are not limited to the kernel itself. Userspace applications from installers to init systems and beyond also take input from /proc/cmdline.\r\n\r\nIt is clear that some kernel command line options are desirable (console=ttyS0 verbose) and possibly even necessary. Others, such as the cromulent 'init=/bin/sh', can allow circumvention of benefits that Secureboot and TPM provide.\r\nHow to control access to kernel command line modification is a non-trivial subject.  
A recent pull request to systemd that added \"command-line addons\" garnered hundreds of comments.\r\n\r\nThis talk will cover:\r\n * The stub loader 'stubby' and its allowed-list approach to kernel command line options.\r\n * Systemd-stub\u2019s solution for command line customization\r\n * System changes that can be made through kernel command line.\r\n * Alternative channels such as smbios oem strings, or qemu 'fw_cfg'", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "2e43ad90-71fb-57a4-83d7-a7cac717e961", "id": 136, "code": "SCQZUS", "public_name": "Scott Moser", "avatar": "https://cfp.all-systems-go.io/media/avatars/5e5af073812bcd558ab3cbbca02250b7_2lG0VGL.jpg", "biography": "Scott Moser is a software engineer for Cisco Systems.  He has worked in software development on linux for more than 20 years.  He and his team at Cisco work on an image-based linux for managing containers.  He has an amazing large family that occupies most of his free time.\r\n\r\nPlease feel free to reach out to smoser on github.com.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/SMQPWM/", "id": 210, "guid": "2793b90e-03aa-5e85-9aab-625ec2233aed", "date": "2023-09-14T12:00:00+02:00", "start": "12:00", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-210-a-story-of-a-bootloader-w-wthree-bootloaders", "title": "A story of a bootloader^W^Wthree bootloaders", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "This talk will explore the ideas from Lennart's \"Fitting Everything Together\"\r\nblog post, particularly the A/B partitioning scheme and its bootloader design,\r\ncomparing it with the approach used on the SteamDeck. 
Spoiler alert, we're not\r\nusing sd-boot.\r\n\r\nWe will focus on the requirements that drove us to the latter design, some \r\nimplementation details, and hurdles we needed to overcome to achieve that\r\nproject.\r\n\r\nLastly, the idea of finding common ground will be entertained where audience\r\nparticipation is greatly encouraged. What features would be acceptable by the\r\nwider systemd community? Would those be enough for the SteamDeck to jump ship?", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "8fc1c5bd-2c27-541d-8a20-0fc1cfde02df", "id": 154, "code": "D33KVM", "public_name": "Emil Velikov", "avatar": null, "biography": "Open source developer, geeking across the stack\r\n\r\nFormer #mesa3d release manager, Linux, Mesa, Xorg, Wayland, libva ... contributor.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/MPAEFK/", "id": 211, "guid": "463d3a88-9385-5d44-a4b2-1e6999c84d4a", "date": "2023-09-14T12:30:00+02:00", "start": "12:30", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-211-a-b-partitioning-let-s-talk-about-the-dirty-rw-files", "title": "A/B partitioning - let's talk about the dirty RW files", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "A/B partitioning is great - you hermetically drop-in the whole new OS and boot\r\ninto it. Although, how can we manage and migrate the RW configuration and state\r\nfiles that lie within? 
Can we do that reliably on both OS upgrades and\r\ndowngrades?\r\n\r\nThis talk will explore the design used on the SteamDeck, the issues\r\nwe've seen while drawing analogies, and future inspiration with \"Fitting\r\nEverything Together\" by Lennart Poettering in mind.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "8fc1c5bd-2c27-541d-8a20-0fc1cfde02df", "id": 154, "code": "D33KVM", "public_name": "Emil Velikov", "avatar": null, "biography": "Open source developer, geeking across the stack\r\n\r\nFormer #mesa3d release manager, Linux, Mesa, Xorg, Wayland, libva ... contributor.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/VPQADA/", "id": 191, "guid": "f1e8fe2b-b5a1-5ff6-9586-0ed7ae2c9119", "date": "2023-09-14T14:30:00+02:00", "start": "14:30", "logo": null, "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-191-systemd-repart-building-discoverable-disk-images", "title": "systemd-repart: Building Discoverable Disk Images", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "systemd-repart has recently learned many features to make it useful for building discoverable disk images. 
In this talk, we'll give a deep-dive on the new features and how they can be used to assemble discoverable disk images.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "64e389e2-2834-5cf4-b76a-da7ed318ac1e", "id": 139, "code": "KWFN8B", "public_name": "Daan De Meyer", "avatar": null, "biography": "I'm a maintainer of the systemd and mkosi projects and work on the Linux Userspace team at Meta.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/NEQ9TX/", "id": 213, "guid": "0280099e-afbd-558a-9b42-445f9681ed14", "date": "2023-09-14T15:15:00+02:00", "start": "15:15", "logo": null, "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-213-exploring-rauc-a-flexible-building-block-for-image-based-updates", "title": "Exploring RAUC: A Flexible Building Block for Image-Based Updates", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Recently, atomic updates via image based systems have become more relevant for\r\nservers and desktops, as they allow predictable management of large fleets. In the\r\nembedded Linux space, this approach has been the default for many years and\r\nproven updaters exist already.\r\n\r\nIn this talk, we will delve into RAUC and look at how its design and features\r\nhave been driven by the requirements for robust, atomic updates.\r\nThe presentation will introduce the fundamental concepts surrounding A/B fallback\r\nand update signing in the context of embedded Linux updates.\r\nWe will then explore the commonalities and differences between RAUC and systemd's\r\nsysupdate.\r\n\r\nThe discussion will progress to cover RAUC's bundle-based update system, which\r\nallows for comprehensive system updates without the need for local storage,\r\nthanks to HTTP streaming. 
Additionally, we will demonstrate how adaptive updates\r\nminimize download sizes without necessitating version-specific patch management.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "56418072-5fb8-5ffb-ae4d-d9582d1ff384", "id": 156, "code": "9RPNCE", "public_name": "Rouven Czerwinski", "avatar": "https://cfp.all-systems-go.io/media/avatars/new_avatar_kBWWzwd.jpg", "biography": "Rouven started working with Pengutronix in 2016, initially focusing on testing embedded Linux systems.\r\nSince then he has worked on securing embedded Linux platforms using verified boot and also enabled platforms to provide secret key storage for cloud-connectivity. Nowadays he focuses on the embedded Linux media and graphics stack, debugging performance issues and improving the quality of upstream media pipelines.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/ASV8ZM/", "id": 190, "guid": "739e6145-c6e0-5dc3-a8ed-7d059223ad53", "date": "2023-09-14T16:30:00+02:00", "start": "16:30", "logo": null, "duration": "00:40", "room": "Main Hall", "slug": "all-systems-go-2023-190-mkosi-building-bespoke-operating-system-images", "title": "mkosi: Building Bespoke Operating System Images", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "mkosi is a tool for building operating system images. 
In this talk we'll give an introduction to mkosi, how we use it to develop systemd and discuss how we want to support running and updating systems with mkosi and other systemd tooling.", "description": "Github repository: https://github.com/systemd/mkosi/\r\nInitial blog post on mkosi: https://0pointer.net/blog/mkosi-a-tool-for-generating-os-images.html", "recording_license": "", "do_not_record": false, "persons": [{"guid": "64e389e2-2834-5cf4-b76a-da7ed318ac1e", "id": 139, "code": "KWFN8B", "public_name": "Daan De Meyer", "avatar": null, "biography": "I'm a maintainer of the systemd and mkosi projects and work on the Linux Userspace team at Meta.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/G8UZGL/", "id": 206, "guid": "4aa9f6e2-1541-5375-9f20-7602c2193009", "date": "2023-09-14T17:15:00+02:00", "start": "17:15", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-206-building-image-based-oses-with-buildstream", "title": "Building image-based OSes with BuildStream", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "BuildStream is a tool for building / integrating software stacks. In a way, it has a similar goal to bitbake / yocto and Android repo, but takes a completely different approach. It can be used to take software from various sources, build it with various buildsystems in a reproducible sandbox, and cache results for speedy rebuilds.\r\n\r\nIn this talk I give a brief overview of Buildstream, how it is used to build GNOME OS, and the challenges we face in using it. 
I also go over freedesktop-sdk which is a base runtime that can be used as a base to build your own system.\r\n\r\nI also discuss the challenges we encountered with using buildstream with ostree and the steps we're taking to support updating with systemd-sysupdate.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "258abec5-cd5a-53c7-8b2e-d14b805ca7d8", "id": 151, "code": "UKQSUM", "public_name": "Abderrahim Kitouni", "avatar": null, "biography": "Abderrahim is a software engineer at Codethink. He is also a member of the GNOME release team.\r\n\r\nIn a previous life, he was a math teacher at the university of Constantine in Algeria.", "answers": []}, {"guid": "14e679f9-cefe-52cf-973f-e798e32c0e7e", "id": 184, "code": "XDUZPH", "public_name": "Valentin David", "avatar": "https://cfp.all-systems-go.io/media/avatars/939b4227846a271eede9807e074cd4d0_qyYz0nL.jpg", "biography": "By day, Valentin works on Ubuntu Core at Canonical. By night, he contributes to Freedesktop SDK and GNOME OS as a member of the GNOME foundation.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/9E9MLC/", "id": 223, "guid": "e0c11caf-4937-53ec-acbc-2cafc74a6d65", "date": "2023-09-14T17:45:00+02:00", "start": "17:45", "logo": null, "duration": "00:25", "room": "Main Hall", "slug": "all-systems-go-2023-223-antlir2-deterministic-image-builds-with-buck2", "title": "antlir2: Deterministic image builds with buck2", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "In this talk we\u2019ll discuss antlir2, Meta\u2019s solution to building container and bare metal operating system images. 
We\u2019ll talk about how we have built performant, hermetic and deterministic image building infrastructure on top of buck2 (Meta\u2019s new open source build system) and how we enable users to compose their own multi-language projects with full operating systems, write tests and deploy their images. Along the way, we\u2019ll also cover how antlir2 wrangles dnf and other upstream tooling to behave more predictably for better, more reliable images.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "72b4d815-b5b6-5997-9672-f2ae1fb44302", "id": 166, "code": "XAMSLA", "public_name": "Vinnie Magro", "avatar": "https://cfp.all-systems-go.io/media/avatars/IMG_2866_zZZHCyx.png", "biography": "Production Engineer @ Meta working on filesystem image builds", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/PKSMVD/", "id": 240, "guid": "e7564b70-f4ef-593c-830f-17dc1c965117", "date": "2023-09-14T18:25:00+02:00", "start": "18:25", "logo": null, "duration": "00:05", "room": "Main Hall", "slug": "all-systems-go-2023-240-closing-session-of-all-systems-go-2023", "title": "Closing session of All Systems Go! 2023", "subtitle": "", "track": null, "type": "Lightning talk", "language": "en", "abstract": "Closing session of All Systems Go! 
2023", "description": "", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "attachments": [], "answers": []}], "Dome": [{"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/YAHVZG/", "id": 193, "guid": "4a61eec7-aa3a-582f-8919-ae117bd2afad", "date": "2023-09-14T10:00:00+02:00", "start": "10:00", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-193-adventures-of-linux-userspace-at-meta", "title": "Adventures of Linux Userspace at Meta", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "The Linux Userspace team at Meta aims to make significant contributions to upstream userspace projects, while also ensuring that Meta is able to leverage those improvements. In this talk we'll give an overview of the team and brief history of how it was formalized. Then we'll dive deeper into some of the efforts we've worked on with the open source community and features we've adopted internally. Come if you enjoy hearing about systemd, BPF, distributions, and more!", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "29f3302f-3164-5b4a-bb07-c2656bd2a75f", "id": 140, "code": "GFPNWK", "public_name": "Anita Zhang", "avatar": "https://cfp.all-systems-go.io/media/avatars/headshot2022_500_qxuIA1t.png", "biography": "Anita Zhang is the engineerd managerd (i.e. software engineering manager) of Meta's Linux Umbrella collection of teams. It includes the Linux Userspace, OpenBMC Compute/Storage, and Accelerator Userspace teams. 
She continues to collaborate with the systemd project through her team's contributions.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/Q9YBUZ/", "id": 202, "guid": "4090e292-62ee-5322-ab95-5d8d0180b0ca", "date": "2023-09-14T10:30:00+02:00", "start": "10:30", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-202-talos-linux-trustedboot-for-a-minimal-immutable-os", "title": "Talos Linux - TrustedBoot for a minimal Immutable OS", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "The Talos Linux distribution is built from scratch with the goal of providing a secure, verified, and minimal-footprint operating system for running Kubernetes clusters. Talos is designed to be immutable, minimal, and secure. Talos includes only the bare minimum required to run Kubernetes.\r\n\r\nThis talk will cover how Talos uses Unified Kernel Images (UKIs) to provide immutable, verified, and secure booting. We will also cover how Talos partially conforms to the Linux Userspace API Group specification (UAPI) to implement some of the best practices with regards to fully verifiable TrustedBoot extending to the userspace.", "description": "With the upcoming Talos 1.5 release, Talos ships with custom ISO and metal images that are UKI compliant. This means that the kernel, initramfs, and the root filesystem are all signed and verified by the bootloader. 
This allows Talos to provide a fully verified boot process from the bootloader to the userspace attested by TPM.\r\n\r\n This talk will cover the following topics:\r\n\r\n- Building UKI (ukify.py implementation in Go)\r\n    - Issues with reproducibility\r\n- sd-boot\r\n- sd-stub\r\n- Upgrades/Rollbacks\r\n- systemd-measure and systemd-cryptenroll partial implementation in Go\r\n\r\nFuture work:\r\n\r\n- IMA attestations for userspace runtime binaries (etcd, kubelet, containerd, etc)\r\n- Talos system extensions as sd-stub compatible sysexts\r\n- Kexec with Secureboot (how can we verify the TPM PCR values are populated correctly with values from new UKI)", "recording_license": "", "do_not_record": false, "persons": [{"guid": "fd046a20-ba97-5628-b056-d1cdec2d8813", "id": 148, "code": "FJ9YKN", "public_name": "Noel Georgi (he/him)", "avatar": "https://cfp.all-systems-go.io/media/avatars/FJ9YKN_PezDPMb.jpg", "biography": "Engineer at Sidero Labs\r\n\r\nOutside work talks actively about politics, loves traveling and trails on motorbike.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/DP3JXQ/", "id": 214, "guid": "6006a4d6-b952-564b-abc7-44d3d2e3994d", "date": "2023-09-14T11:00:00+02:00", "start": "11:00", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-214-writing-your-own-nixos-modules-for-fun-and-hopefully-profit", "title": "Writing your own NixOS modules for fun and (hopefully) profit", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "This talk will be a whirlwind overview of NixOS modules and the lessons I've learned with maintaining and writing new ones.", "description": "Nix modules are the core of how you organize configuration and service config, but there's a lot of \"draw the rest of the owl\" subtext as to how you actually go about writing them. 
This talk covers some best practices for how to write and organize your NixOS modules so that you can have fun and hopefully profit from it.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "aca9e6fe-251c-5021-9072-2c0cf4934990", "id": 157, "code": "9XQT3K", "public_name": "Xe Iaso", "avatar": "https://cfp.all-systems-go.io/media/avatars/Xe_Iaso_Headshot_With_Background_1_PBG050D.png", "biography": "Xe Iaso is an Archmage of Infrastructure who loves to work with various programming languages, data mashups and WebAssembly. Their blog xeiaso.net is regularly cited as one of the best places to learn Nix and NixOS. Xe is passionate about sharing their knowledge and experience with others, and has given talks at various conferences and events. Xe is also a coffee lover, a voice control enthusiast and a proud owner of a cheese grater that saved Christmas.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/77YDZ8/", "id": 219, "guid": "bb932844-2a47-55af-8f56-3e07f06909cf", "date": "2023-09-14T11:30:00+02:00", "start": "11:30", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-219-fast-correct-reproducible-builds-with-nix-bazel", "title": "Fast, correct, reproducible builds with Nix + Bazel", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "The build system should get out of the way to let us focus on our tasks, not be distracted by slow or unreliable builds, get fast feedback on changes, and let us know what\u2019s in the software we\u2019re shipping to our users. But, what does it take for a build system to be really fast and reliable? What does it take to know what\u2019s in the software?\r\n\r\nIt requires aggressive parallelism and distributed caching to avoid redundant work between colleagues. 
And it requires complete knowledge and control of dependencies, build isolation to identify mistakes, and reproducible builds to verify results across machines and strengthen supply-chain security.\r\n\r\nIn this talk you will learn how [Google\u2019s open source build system Bazel](https://bazel.build/) and the [purely functional package manager Nix](https://nixos.org/) join forces to provide fast, correct, and reproducible builds.", "description": "In this talk I will explain what we mean by correct builds, and will motivate why fast and correct builds are important and why you would care about reproducible and isolated builds. We will see how many common build systems fail to provide these desirable properties.\r\n\r\nYou will be introduced to [Google\u2019s open source build system Bazel](https://bazel.build/) and will learn how it provides fast builds, how correctness and reproducibility is relevant, and how Bazel tries to ensure correctness. But, we will also see where Bazel falls short in ensuring correctness and reproducibility.\r\n\r\nYou will learn about the [purely functional package manager Nix](https://nixos.org/) and how it approaches correctness and build isolation. And we will see where Bazel has an advantage over Nix when it comes to providing fast feedback during development.\r\n\r\nI will share how you can get the best of both worlds and combine Nix and Bazel and how you can get started with these tools. But, we will also touch on potential caveats and shortcomings of this approach.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "2c60a97f-9812-5349-98bc-eb9947a0c7e5", "id": 163, "code": "3NWQNH", "public_name": "Andreas Herrmann", "avatar": "https://cfp.all-systems-go.io/media/avatars/cut3_R4XkLsF.jpg", "biography": "Andreas is a physicist turned software engineer. 
He leads the Scalable Builds Group at Tweag, which contributes to Bazel, Buck2, and Pants, is Google\u2019s first Bazel Community Expert, maintains Bazel extensions, and provides professional services. Andreas is passionate about functional programming, and hermetic and reproducible builds. He lives in Zurich and is active in the local Haskell community.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/3LES8Z/", "id": 207, "guid": "5236ae83-9980-5b09-a7b9-fa12ab46066f", "date": "2023-09-14T12:15:00+02:00", "start": "12:15", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-207-oxidizing-the-arch-linux-packaging-infrastructure", "title": "Oxidizing the Arch Linux packaging infrastructure", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Arch Linux has worked with its own packaging framework - Arch Linux Package Management (ALPM) - for about 20 years.\r\n\r\nThis talk is about an effort to rewrite low-level components and to create specifications for related metadata files using the Rust programming language.\r\nIt will cover new projects in the ALPM (https://gitlab.archlinux.org/archlinux/alpm/) group as well as several other related ones and give an outlook on future developments using the \ud83e\udd80", "description": "Arch Linux (https://archlinux.org) has worked with its own packaging framework - Arch Linux Package Management (ALPM) - for about 20 years. The tooling consists mainly of scripts for package creation (e.g. `makepkg`, written in Bash) and a package manager (`pacman`, written in C).\r\n\r\nOver the last years several projects for the improvement of the packaging and package distribution ecosystem have been started. 
Some of which had to reinvent the wheel.\r\n\r\nThis talk is about an effort to rewrite low-level components and to create specifications for related metadata files using the Rust programming language.\r\nIt will cover new projects in the ALPM (https://gitlab.archlinux.org/archlinux/alpm/) group as well as several other related ones and give an outlook on future developments using the \ud83e\udd80\r\n\r\nSlides: https://pkgbuild.com/~dvzrv/presentations/all-systems-go-2023/", "recording_license": "", "do_not_record": false, "persons": [{"guid": "46c9c9eb-3b6b-5aab-819e-41059c57b6db", "id": 152, "code": "ZUFJCM", "public_name": "David Runge", "avatar": "https://cfp.all-systems-go.io/media/avatars/17f86bb0-213f-4589-b0af-8265f7683edd_WItVwVy.jpg", "biography": "I am a freelance software developer working mostly on open technologies.\r\nAs one of the Arch Linux developers I spend some of my free time packaging all sorts of software, as well as writing some of my own for the distribution.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/LBWXKL/", "id": 227, "guid": "5e65dc07-4631-541e-81fe-bb0db3fd3bcc", "date": "2023-09-14T14:30:00+02:00", "start": "14:30", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-227-replica-one-a-software-defined-operating-system", "title": "Replica.one: A Software-defined Operating System", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Network operating systems commonly provide a stable userspace platform for networking devices. 
Integration of userspace applications as well as low-level hardware support are handled by firmware build systems.\r\n\r\nExisting build systems for network operating systems display numerous limitations by either targeting only distinct types of devices, using cumbersome methodologies to add additional features or offering insufficient capabilities regarding what to include in the firmware image. In this presentation, we provide an overview of these limitations and how we mitigate them with Replica.one, an Open Source firmware builder which targets the entire networking stack.\r\n\r\nWe will focus on the solution's optimization features, its capability to generate firmware for diverse classes of devices across the entire networking stack, and the flexibility to select the desired operating system between various Linux-based distributions.", "description": "The presentation targets Linux users who are interested in replacing their existing build system infrastructure with a single unified software platform. 
The flexibility of image-based network operating systems will allow organizations and its users to operate their existing hardware resources more efficiently and securely.\r\n\r\nProfessionals who are working in the domain of firmware build systems to integrate applications and features will benefit from Replica.one\u2019s ease of use as well as powerful image customization capabilities.\r\n\r\nThe novel element of a single platform running on an entire networking infrastructure stack will be of particular interest to a wide range of organizations and companies looking to reduce their operating cost while reaping the benefits of open source community effort.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "eda67cf8-15fe-518a-bc00-4f8afabdc363", "id": 165, "code": "XY7RNN", "public_name": "Jakov Petrina Trnski", "avatar": "https://cfp.all-systems-go.io/media/avatars/PXL_20230524_0931461582_TVrxaCB.jpg", "biography": "Jakov is currently a Firmware Engineer at Sartura. 
He has previously been involved in the Sysrepo / Netopeer2 project working on OpenWrt plugins.\r\n\r\nJakov is currently leading the development effort behind Replica.one \u2014 an open source firmware build system.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/RV3UZD/", "id": 208, "guid": "5fd12d3a-3144-5f9c-9a72-7515a863b559", "date": "2023-09-14T15:15:00+02:00", "start": "15:15", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-208-opensuse-aeon-desktop-linux-finally-done-right-", "title": "openSUSE Aeon - Desktop Linux finally done right?", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "openSUSE Aeon (formerly MicroOS Desktop) aims to be a fully fledged modern Linux Desktop leveraging as many of the latest user space innovations available including:\r\n\r\n- Immutable OS with Transactional Updates\r\n- Secure Boot\r\n- TPM Encryption\r\n- Flatpaks & OCI containers as primary application delivery\r\n\r\nThis talk will introduce the distribution, highlight the adoption of some of the latest foundational user space technologies as well as share some of the pain points being faced and invite the audience to contribute to this exciting platform.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "5cfeca5c-8098-500d-92d1-f24076f6d47d", "id": 153, "code": "XEVLGB", "public_name": "Richard Brown", "avatar": "https://cfp.all-systems-go.io/media/avatars/958139D9-6D34-4A78-A31B-32DA03B1D51F-26187-00000DFEC09CF0D2_VHmXivh.jpeg", "biography": "Richard is a Distributions Architect at SUSE, where he has worked in various roles since 2013, including QA Engineer, Technical Lead for openQA, and Linux Distribution Engineer.\r\n\r\nA SUSE/openSUSE user since 2003, he found himself helping out more and more as time went on.\r\n\r\nHe has been intimately involved in many of 
openSUSE\u2019s most interesting projects over the years, including Evergreen, Leap, Tumbleweed, MicroOS and Kubic. \r\n\r\nHe had the pleasure of being the openSUSE Project\u2019s Chairperson from 2014 until 2019.\r\n\r\nMost recently, He founded the MicroOS Desktop project, now known as openSUSE Aeon.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/V9EZSS/", "id": 241, "guid": "b11ed4ed-5ea0-5719-b831-0f1826806b45", "date": "2023-09-14T16:30:00+02:00", "start": "16:30", "logo": null, "duration": "00:40", "room": "Dome", "slug": "all-systems-go-2023-241-wolfi-a-secure-by-default-distro-for-curing-container-cve-chaos", "title": "Wolfi: A Secure-by-Default Distro for Curing Container CVE Chaos", "subtitle": "", "track": null, "type": "35 min talk + 5 min Q&A", "language": "en", "abstract": "Are you using container images with hundreds of known vulnerabilities?\r\n\r\nThe majority of us are using images based on the Docker official images available on the Docker Hub. This includes base images \u2013 such as Debian and Ubuntu \u2013 as well as application images such as nginx and redis. Unfortunately these images often have hundreds of known vulnerabilities due to excessively large dependency trees with out-of-date packages. This security debt can lead to unnecessary security risks and slower development cycles.\r\n\r\nWolfi (\u200b\u200bhttps://github.com/wolfi-dev/) is a new Linux distribution optimized for building minimal, secure container images. Wolfi maintainers prioritize a rolling release model built on a rapid package update cycle, which ensures that new vulnerabilities are remediated quickly.\r\n\r\nThis talk not only describes the problems that motivate Wolfi but also provides hands-on knowledge to help developers take advantage of Wolfi. 
By the end of the talk, developers will learn about packaging techniques with apko and melange, tools specifically designed to build Wolfi packages and turn them into minimal, low- or no-vulnerability containers.", "description": "Key Takeaways and Highlights\r\n\r\nPopular, off-the-shelf base images and containers often have hundreds of known vulnerabilities (\u201cCVEs\u201d), which can, at worst, be a security risk and, at best, be a giant time suck.\r\nWolfi is a new secure-by-default linux distribution that prioritizes rapid package updates and, by extension, fast mean time-to-remediation for known vulnerabilities.\r\nPackages in Wolfi can form the foundation of secure, minimal base images and containers, freeing developers of tedious vulnerability management tasks and increasing security for cloud-native applications.\r\n\r\nTalk Outline\r\n\r\nThe Cloud-Native Application Status Quo: Bloated, Outdated, Vulnerability-Laden Images\r\nContainers 101\r\nShow the results of running security scanners against popular Dockerhub official images\r\nUse (grype, an open source scanner) to scan golang:latest and nginx:latest. 
Show via command line.\r\nShow data and analysis on package counts, package staleness, vulnerability counts of official Docker Hub images\r\nDraw on six months of daily scanning results collected by presentation team\r\nOverview of Wolfi\r\nFast package update times\r\nFast vulnerability mean time-to-remediation\r\nGranular packages\r\nWolfi packages are often packaged at a more granular level than their counterparts in other distributions, which allows developers to pick and choose only the components that are essential for an image, without dragging in unnecessary functionality and attack surface.\r\nRolling release\r\nWhy not alternative approaches, either other minimal images or using other distros?\r\nGoogle distroless\r\nDebian-based so there can be slow update times for packages\r\nDebian - Slow package updates\r\nHow to build images with Wolfi packages\r\nExplain melange and building packages\r\nExample of building a package with melange\r\nExplain apko and building images\r\nDemo of building an image with apko", "recording_license": "", "do_not_record": false, "persons": [{"guid": "b543d2b5-a116-5532-bd2a-d76790bcfebf", "id": 174, "code": "QAMK8Q", "public_name": "James Strong", "avatar": "https://cfp.all-systems-go.io/media/avatars/QEdFQHQe_400x400_86lEOwF.jpg", "biography": "James joined Chainguard after a long stint of helping customers migrate to the Cloud and Kubernetes. Security was the number one issue he saw when doing these migrations and now wants to help secure their supply chains. 
James is also the co-author of O\u2019Reilly\u2019s Networking & Kubernetes, KubePhilly Meetup organizer, ACloud Guru instructor and when he is not at a computer, you can find him in the gym doing Olympic weightlifting or on the rugby pitch.", "answers": []}, {"guid": "f0a2f9c4-6b42-5c91-a7a6-ef4daaa170c8", "id": 175, "code": "ABUBDF", "public_name": "Carlos Tadeu Panato Junior", "avatar": "https://cfp.all-systems-go.io/media/avatars/cpanato_RGRCsUF.png", "biography": "Carlos Panato is a Staff Software Engineer at Chainguard, Inc., who\u2019s working on development and infrastructure using Kubernetes and containers. Previously, he\u2019s worked on development, testing, processes, and management. He contributes to several CNCF/LF projects and is an active community member across the OSS universe.", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/7URRNC/", "id": 187, "guid": "6fd882e8-4a24-5805-879e-6e98fa13408c", "date": "2023-09-14T17:15:00+02:00", "start": "17:15", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-187-microsoft-azure-boost-image-based-linux-powering-the-azure-fleet-wait-what-really-yes-", "title": "Microsoft Azure Boost: Image-based Linux powering the Azure fleet. Wait, what? Really?! Yes!", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "A quick journey through the Azure infrastructure, specifically looking at how image-based Linux is used for Azure Boost, what it enables, what interesting security and performance features were added and where to find them upstream.", "description": "Believe it or not, today Linux is right at the core of Microsoft Azure's infrastructure, on the very nodes that run all those fancy virtual machines. Getting there was not easy, and a lot of work was needed to meet the very stringent security and performance goals that were set. 
We built a custom distribution, added several security features such as signed dm-verity and kernel-enforced code integrity, came up with a way to keep state alive across kexec with PMEM, and implemented the stackable Portable Services image model that ultimately became sysexts and confexts. And much more! This talk will walk through this effort, starting with a peek under the cover at the hardware that powers it and what it enables, passing through the custom OS and ending up at all the features we added to systemd and elsewhere that you all can enjoy as well.", "recording_license": "", "do_not_record": false, "persons": [{"guid": "2718a327-eade-5d9d-b9d8-d78fc12024da", "id": 128, "code": "LAXAC7", "public_name": "Luca Boccassi", "avatar": "https://cfp.all-systems-go.io/media/avatars/f729cde356a4bbf825a5ff10778e362f_pbbNEGH.jpg", "biography": "Software engineer at Microsoft by day, open source developer involved in various projects by night (systemd maintainer, DPDK LTS maintainer, ZeroMQ project co-lead, Debian Developer).", "answers": []}], "links": [], "attachments": [], "answers": []}, {"url": "https://cfp.all-systems-go.io/all-systems-go-2023/talk/QUMHR3/", "id": 215, "guid": "096a6e21-8f61-59d1-918f-b3c7babc49b8", "date": "2023-09-14T17:45:00+02:00", "start": "17:45", "logo": null, "duration": "00:25", "room": "Dome", "slug": "all-systems-go-2023-215-asynchronous-dbus-with-c-co-routines", "title": "asynchronous dbus with C++ co-routines", "subtitle": "", "track": null, "type": "20 min talk + 5 min Q&A", "language": "en", "abstract": "sdbusplus generates ergonomic and compile-time type-checked dbus bindings built atop sd-bus.  This library is heavily used within the OpenBMC project to provide all IPC between its many userspace processes.  
This talk will give an overview of how OpenBMC leverages dbus, how sdbusplus facilitates its usage, as well as an introduction on our approach for asynchronous programming with C++ co-routines.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"guid": "fada454c-f997-53e5-9061-26d6d5c53fc5", "id": 158, "code": "SYJHUV", "public_name": "Patrick Williams", "avatar": null, "biography": "Patrick is a software engineer currently at Meta where he leads their BMC software team.  He has worked on systems management firmware at various companies for a long time.  Patrick was one of the founding developers of the OpenBMC project and is a primary maintainer.", "answers": []}], "links": [], "attachments": [], "answers": []}]}}]}}}